Project 4: File systems
Due Date: Thursday, December 13th at 11 pm.
Goals
- To get experience with file system structure
Project Description
On March 18, 1990, the Isabella Stewart Gardner Museum in Boston, MA,
was robbed by two unknown white males dressed in police uniforms and
identifying themselves as Boston police officers. The unknown subjects
gained entrance into the museum by advising on-duty security personnel
that they were responding to a call of a disturbance within the
compound. Security, contrary to museum regulations, allowed the
unknown subjects into the facility. Upon gaining entry, the two
unknown subjects abducted the on-duty security personnel, securing
both guards with duct tape and handcuffs in separate remote areas of
the museum's basement. The unknown subjects brandished no weapons, nor
were any weapons seen during this heist. Other than a "panic" button
located behind the guards' watch desk area, the museum alarm system
was internal only. Since the panic button was not activated, no
actual police notification was made during the robbery. The video
surveillance film was seized by the unknown subjects prior to their
departure. While in the museum from the hours of 1:24 a.m. to 2:45
a.m., the unknown subjects seized many works of art, the values of
which have been estimated as high as $300 million.
Just last week, during a routine traffic stop, police identified a
possible subject. The subject's motor vehicle contained, among other
items, a hard drive (without the laptop). Although the subject had
apparently attempted to delete all files on the drive, the subject was
naive (or in a rush) and only deleted the files rather than
overwriting or reformatting the disk. This means that most data and
indeed most of the file control blocks still reside on disk.
You are part of the forensics team attempting to reconstruct the
disk's contents. You have been given a region of the disk to
reconstruct. So far other members of your team have determined that
the file system was on a little-endian machine running some form of
UNIX with an inode structure:
#define N_DBLOCKS 10
#define N_IBLOCKS 4

struct inode {
    int unknown;            /* Unknown field */
    int protect;            /* Protection field */
    int nlink;              /* Number of links to this file */
    int size;               /* Number of bytes in file */
    int uid;                /* Owner's user ID */
    int gid;                /* Owner's group ID */
    int ctime;              /* Time field */
    int mtime;              /* Time field */
    int atime;              /* Time field */
    int dblocks[N_DBLOCKS]; /* Pointers to data blocks */
    int iblocks[N_IBLOCKS]; /* Pointers to indirect blocks */
    int i2block;            /* Pointer to doubly indirect block */
    int i3block;            /* Pointer to triply indirect block */
};
a block size of 1024 bytes; and the owner's UID and GID appear to be
18390 and 9921 respectively (these are in decimal format).
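The layout above fixes the byte offset of every field, so the known UID and GID can act as a signature for locating inodes in a raw region. The following C example is added here and is not part of the original assignment; the function names are hypothetical, the sample image is constructed, and it assumes inodes sit on 4-byte boundaries and that block pointers index blocks within the region.

```c
#include <stdint.h>
#include <stdio.h>

#define N_DBLOCKS 10
#define BLOCK_SIZE 1024
#define INODE_BYTES 100   /* 25 four-byte fields in struct inode */

/* Read/write one little-endian 32-bit field, independent of host byte order. */
static uint32_t get32(const unsigned char *p) {
    return p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
static void put32(unsigned char *p, uint32_t v) {
    for (int i = 0; i < 4; i++) p[i] = (unsigned char)(v >> (8 * i));
}

/* Candidate test: uid and gid at byte offsets 16 and 20, and (assumption) each
 * direct pointer that `size` requires must name a block inside the region. */
static int plausible(const unsigned char *p, uint32_t uid, uint32_t gid, uint32_t nblocks) {
    if (get32(p + 16) != uid || get32(p + 20) != gid) return 0;
    uint32_t size = get32(p + 12);
    uint32_t need = size / BLOCK_SIZE + (size % BLOCK_SIZE != 0);
    if (need > N_DBLOCKS) need = N_DBLOCKS;      /* only direct pointers checked */
    for (uint32_t i = 0; i < need; i++)
        if (get32(p + 36 + 4 * i) >= nblocks) return 0;
    return 1;
}

/* Slide over the image in 4-byte steps (assumption); record candidate offsets. */
static size_t find_inodes(const unsigned char *img, size_t len, uint32_t uid, uint32_t gid, size_t *out, size_t max) {
    size_t n = 0;
    for (size_t off = 0; off + INODE_BYTES <= len && n < max; off += 4)
        if (plausible(img + off, uid, gid, (uint32_t)(len / BLOCK_SIZE)))
            out[n++] = off;
    return n;
}

/* Constructed 4-block image: a valid inode at byte 1224 and a decoy at byte
 * 3000 whose first data pointer lies outside the region. Returns hit or -1. */
static long demo(void) {
    static unsigned char img[4 * BLOCK_SIZE];     /* zero-filled */
    static const uint32_t w[][2] = {              /* {byte offset, value} */
        {1236, 1500}, {1240, 18390}, {1244, 9921}, {1260, 2}, {1264, 3},
        {3012, 10},   {3016, 18390}, {3020, 9921}, {3036, 9999}};
    size_t hits[8];
    for (size_t i = 0; i < sizeof w / sizeof w[0]; i++) put32(img + w[i][0], w[i][1]);
    size_t n = find_inodes(img, sizeof img, 18390, 9921, hits, 8);
    return n == 1 ? (long)hits[0] : -1;
}
int main(void) { printf("candidate inode at byte %ld\n", demo()); return 0; }
```
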
The data file containing your assigned region of the disk is available at
www.cs.wisc.edu/~537-2/Projects/P4/datafile and in
AFS at ~cs537-2/public/Projects/P4/datafile. It should be 10485760
bytes after you download it. Be sure to download it as a binary file.
If you finish this file, there is a second region found on the same disk
(but at a different offset from the start).
The data file for this region of the disk is available at
www.cs.wisc.edu/~537-2/Projects/P4/datafile2 and in
AFS at ~cs537-2/public/Projects/P4/datafile2. It should also be 10485760
bytes after you download it. Be sure to download it as a binary file.
Project Specification
Your assignment is as follows:
- Reconstruct any files that can be found in your assigned disk
region.
- Produce a list of any data blocks (numbered from zero) that are
not used by the above files; these will be needed by other teams
reconstructing other regions of the disk.
- Identify the perpetrator if possible and explain why you
suspect him or her.
- Answer the following questions:
  - Describe your algorithm for solving this problem. Note: you
  must provide a description of TWO algorithms: [1] The steps by which
  you (the human) solved the problem (i.e., how did you construct the
  program?); [2] The steps your finished program takes to solve the
  problem.
  - What is the complexity of your algorithm (e.g., O(n)) in
  terms of the number of inodes? Number of data blocks?
  - What files did you find? Provide a brief description of each
  (file format and, if known, what the contents represent). Hint: look
  for "magic numbers" (http://www.garykessler.net/library/file_sigs.html).
  - What blocks were unidentified? Provide a list of these
  blocks.
  - Which files, if any, use the indirect block? Doubly indirect?
  Triply indirect?
  - If the inodes were not included in the data file, could these
  files still be reconstructed? Why or why not? If the inodes existed
  somewhere but the uid and gid were not known, could these files still
  be reconstructed? Why or why not?
What to turn in
Turn in your code to the directory ~cs537-2/handin/yourname/P4 by
the specified due date for the code. Email your project writeup
directly to the instructors' mailing list (instruct537-2@cs.wisc.edu)
by the due date for the writeup.
Grading Policy
To be determined ...
Last modified: Mon Dec 3 16:33:01 CST 2007